Choose a logging destination

HTTP Event Collector is ideal when you want to log data from your Java application in any of the following scenarios:

Sending events directly to Splunk Enterprise rather than requiring writing to disk and installing a forwarder.

Sending data securely to Splunk Enterprise, with the option of an HTTPS connection and a unique token.

Sending data at a high volume and frequency.

Alternately, you can log to a TCP input directly, or by logging to a file and then using a Splunk Universal Forwarder to monitor the file and send data any time the file is updated. The latter option gives you the features of the Splunk Universal Forwarder, plus added robustness from having persistent files. In either case, you can use the SplunkCimLogEvent class provided by this library to construct your log events according to Splunk-recommended best practices.

Get familiar with data inputs

Before using Splunk logging for Java, you should understand how the data input type you choose works in Splunk Enterprise and what you need to configure the input.

HttpInputLoggingErrorHandler: Provides an HTTP Event Collector error handler to which your application can subscribe to catch error responses from the Splunk Enterprise server.

HttpInputLoggingEventInfo: Provides a container for event data.

The HttpInputEventSender class is an internal helper class that is used by the other classes in the library. Do not use this class.

TCP inputs

The following classes are available for logging to TCP inputs:

SplunkCimLogEvent: Encapsulates the best practice logging semantics recommended by Splunk. Events created with this class contain key-value pairs, properly formatted and quoted for logging with any of the standard logging libraries for Java (Logback, Log4j 2, and java.util.logging) and indexing by Splunk Enterprise. SplunkCimLogEvent has convenience methods to set the fields defined in the standard Splunk Common Information Model (CIM).

TcpAppender: Writes logging events to a TCP input. This class extends from the ch.qos.logback.core.AppenderBase<E> class, and is included with Splunk logging for Java because Logback does not include a usable appender for TCP sockets.

Other considerations

Resilience

All of the appenders mentioned in the documentation attempt to reconnect in case of dropped connections.

Load balancing

To set up HTTP Event Collector in a load-balanced environment, see Scale HTTP Event Collector with distributed deployments in Getting Data In.
For TCP inputs, you can set up a Splunk Universal Forwarder, and then have all your logging sources write to that TCP input. Use the load-balancing features of the Splunk Universal Forwarder to distribute the data from there to a set of indexers.

Thread safety

For HTTP Event Collector, the adapters for Log4J, Logback, and java.util.logging are thread-safe. For TCP inputs, the adapters for Log4J and Logback are thread-safe.

Questions?

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »